ci: discover audit sources #38
Open
jerrysxie wants to merge 2 commits into
Update the vet aggregation workflow to discover public audit sources across the organization and include sources.list changes in the automated PR. This keeps the central audit list current as repositories add supply-chain audits. Assisted-by: GitHub Copilot:claude-opus-4.8
Pull request overview
Updates the vet-aggregate GitHub Actions workflow to automatically discover new cargo-vet audit sources across the OpenDevicePartnership organization and include sources.list changes in the automated aggregation PR.
Changes:
- Add an org-wide discovery step that scans public, non-archived, non-fork repos for supply-chain/audits.toml and appends new raw URLs to sources.list.
- Update PR creation logic to consider diffs in both sources.list and audits.toml, and commit both files when changed.
- Refresh workflow header comment and PR body text to reflect discovery + aggregation behavior.
RobertZ2011 previously approved these changes (Jun 19, 2026)
Resolve each repository's default branch from the org repo listing instead of issuing a separate per-repo API request, removing an N+1 call pattern that grew API usage as the org expands. URL-encode the branch before interpolating it into the git/trees endpoint so default branches containing a slash resolve as a single path segment, and emit a warning when the tree listing fails instead of silently skipping the repository. Assisted-by: GitHub Copilot:claude-opus-4.8
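The discovery loop described in the overview and in the second commit message above, redone as an added, self-contained bash example (not the workflow's own code): it percent-encodes a branch so that it stays one path segment in a git/trees request, reads candidate paths one per line instead of word-splitting a variable, enforces the same six-field depth limit, encodes each path segment before building the raw URL, and appends only URLs not already in the sources file. The org and repo names and the path list are constructed sample values, and neither `gh` nor `jq` is called, so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example (not the workflow's own code): safe discovery of
# supply-chain/audits.toml sources. Org/repo names and the path list below
# are constructed sample values; no GitHub API calls are made.

# Percent-encode one URL path segment. Everything except RFC 3986 unreserved
# characters is encoded, including '/', so a branch like "release/1.0" stays a
# single segment in a git/trees request. Bytes are iterated under LC_ALL=C.
urlencode_segment() {
  local LC_ALL=C s="$1" out="" c i
  for ((i = 0; i < ${#s}; i++)); do
    c="${s:i:1}"
    case "$c" in
      [A-Za-z0-9._~-]) out+="$c" ;;
      *) out+=$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# REST path for a recursive tree listing, with the branch encoded as one segment.
trees_endpoint() {
  local org="$1" repo="$2" branch="$3"
  printf 'repos/%s/%s/git/trees/%s?recursive=1' "$org" "$repo" "$(urlencode_segment "$branch")"
}

# Validate one candidate path, build its raw URL and append it to the sources
# file if it is not already listed. Returns 0 when a line was added, 1 otherwise.
add_audit_source() {
  local org="$1" repo="$2" branch="$3" path="$4" sources="$5"
  local -a segs
  local n seg encoded="" url
  IFS=/ read -ra segs <<<"$path"
  n=${#segs[@]}
  # Same limit as the workflow: six fields = five directories plus audits.toml.
  [ "$n" -le 6 ] || { echo "skip (too deep): $path" >&2; return 1; }
  # Only supply-chain/audits.toml is a cargo-vet audit file.
  [ "$n" -ge 2 ] && [ "${segs[n-2]}" = "supply-chain" ] && [ "${segs[n-1]}" = "audits.toml" ] \
    || { echo "skip (not an audits file): $path" >&2; return 1; }
  # Encode each segment separately so '/' separators survive but spaces etc. do not.
  for seg in "${segs[@]}"; do
    encoded+="${encoded:+/}$(urlencode_segment "$seg")"
  done
  # raw.githubusercontent.com takes the branch as literal path components under refs/heads/.
  url="https://raw.githubusercontent.com/$org/$repo/refs/heads/$branch/$encoded"
  if [ -f "$sources" ] && grep -qxF -- "$url" "$sources"; then
    return 1
  fi
  printf '%s\n' "$url" >>"$sources"
  echo "Discovered new source: $url" >&2
  return 0
}

# Read candidate paths from stdin, one per line (what `jq -r '.tree[].path'`
# would print), and report on stdout how many new sources were appended.
discover_from_list() {
  local org="$1" repo="$2" branch="$3" sources="$4" added=0 path
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if add_audit_source "$org" "$repo" "$branch" "$path" "$sources"; then
      added=$((added + 1))
    fi
  done
  echo "$added"
}

# Constructed sample listing: two valid nested files, one with a space, one too
# deep, and one audits.toml that is not under supply-chain/.
sample_paths='supply-chain/audits.toml
crates/hal/supply-chain/audits.toml
vendor/with space/supply-chain/audits.toml
a/b/c/d/e/f/supply-chain/audits.toml
docs/audits.toml'

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  demo=$(mktemp)
  printf '%s\n' "$sample_paths" | discover_from_list acme widget main "$demo"
  cat "$demo"
  rm -f "$demo"
fi
```

Run as a script to see the three accepted URLs and the two skip messages; in a workflow the `printf | discover_from_list` line would be replaced by piping the `jq -r '.tree[].path'` output from the tree listing. The branch is left unencoded in the raw URL, as in the workflow, because `raw.githubusercontent.com` expects the branch as literal path components under `refs/heads/`; only the `git/trees` request needs it collapsed to one segment.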
Comment on lines +67 to +81
| paths=$(echo "$tree" \ | ||
| | jq -r '.tree[].path | select(test("(^|/)supply-chain/audits\\.toml$"))') | ||
|
|
||
| for path in $paths; do | ||
| # Skip paths nested deeper than five directory levels. | ||
| depth=$(echo "$path" | awk -F/ '{print NF}') | ||
| [ "$depth" -le 6 ] || continue | ||
|
|
||
| url="https://raw.githubusercontent.com/$ORG/$repo/refs/heads/$branch/$path" | ||
| if ! grep -qxF "$url" sources.list; then | ||
| echo "$url" >> sources.list | ||
| echo "Discovered new source: $url" | ||
| added=$((added + 1)) | ||
| fi | ||
| done |
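Review bot: `for path in $paths` word-splits on every whitespace character and glob-expands the result, so a path such as `vendor/my lib/supply-chain/audits.toml` becomes two bogus URLs and a `*` in a directory name is replaced by local filenames before the `url=` line runs; iterate with `while IFS= read -r path; do ...; done <<<"$paths"` (or have jq emit `@uri`-encoded paths) so each iteration sees exactly one path. The `depth` check is consistent with its comment (six fields is five directories plus `audits.toml`), but since any `supply-chain/audits.toml` that appears in a public org repository is appended here without further checks, the review of the automated PR is the only gate before it is trusted, so the PR body should make newly added `sources.list` lines easy to spot.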
Comment on lines +62 to +66
| if ! tree=$(gh api "repos/$ORG/$repo/git/trees/$encoded_branch?recursive=1" 2>/dev/null); then | ||
| echo "::warning::Failed to list tree for $ORG/$repo@$branch; skipping" >&2 | ||
| continue | ||
| fi | ||
|
|
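Review bot: `2>/dev/null` on the `gh api` call discards the failure reason, so the `::warning::` on the next line cannot tell a rate-limited run (which would then skip every remaining repository) from an empty repository with no default branch; capture stderr instead, e.g. `if ! tree=$(gh api "repos/$ORG/$repo/git/trees/$encoded_branch?recursive=1" 2>"$errfile"); then` and include `$(cat "$errfile")` in the warning text. Separately, the recursive trees endpoint truncates listings of very large repositories and reports that with a `"truncated": true` field in the response; checking `jq -r .truncated` on `$tree` and warning when it is set would keep a deeply nested `audits.toml` from being skipped without any signal.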